openbao/vault/inspectable_test.go at main · Gabrielopesantos/openbao · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package vault

import (
	"strings"
	"testing"

	"github.com/openbao/openbao/command/server"
	"github.com/openbao/openbao/helper/namespace"
	"github.com/openbao/openbao/sdk/v2/logical"
)

func TestInspectRouter(t *testing.T) {
	// Verify that all the expected tables exist when we inspect the router
	coreConfig := &CoreConfig{
		EnableIntrospection: true,
	}
	c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)

	rootCtx := namespace.RootContext(nil)
	subTrees := map[string][]string{
		"routeEntry": {"root", "storage"},
		"mountEntry": {"uuid", "accessor"},
	}
	subTreeFields := map[string][]string{
		"routeEntry": {"tainted", "storage_prefix", "accessor", "mount_namespace", "mount_path", "mount_type", "uuid"},
		"mountEntry": {"accessor", "mount_namespace", "mount_path", "mount_type", "uuid"},
	}
	for subTreeType, subTreeArray := range subTrees {
		for _, tag := range subTreeArray {
			resp, err := c.HandleRequest(rootCtx, &logical.Request{
				ClientToken: root,
				Operation:   logical.ReadOperation,
				Path:        "sys/internal/inspect/router/" + tag,
			})
			if err != nil || (resp != nil && resp.IsError()) {
				t.Fatalf("bad: resp: %#v\n err: %v", resp, err)
			}
			// Verify that data exists
			data, ok := resp.Data[tag].([]map[string]interface{})
			if !ok {
				t.Fatal("Router data is malformed")
			}
			for _, entry := range data {
				for _, field := range subTreeFields[subTreeType] {
					if _, ok := entry[field]; !ok {
						t.Fatalf("Field %s not found in %s", field, tag)
					}
				}
			}

		}
	}
}

func TestInvalidInspectRouterPath(t *testing.T) {
	// Verify that attempting to inspect an invalid tree in the router fails
	coreConfig := &CoreConfig{
		EnableIntrospection: true,
	}
	core, _, rootToken := TestCoreUnsealedWithConfig(t, coreConfig)
	rootCtx := namespace.RootContext(nil)
	_, err := core.HandleRequest(rootCtx, &logical.Request{
		ClientToken: rootToken,
		Operation:   logical.ReadOperation,
		Path:        "sys/internal/inspect/router/random",
	})
	if !strings.Contains(err.Error(), logical.ErrUnsupportedPath.Error()) {
		t.Fatal("expected unsupported path error")
	}
}

func TestInspectAPIDisabled(t *testing.T) {
	// Verify that the Inspect API is turned off by default
	core, _, rootToken := testCoreSystemBackend(t)
	rootCtx := namespace.RootContext(nil)
	resp, err := core.HandleRequest(rootCtx, &logical.Request{
		ClientToken: rootToken,
		Operation:   logical.ReadOperation,
		Path:        "sys/internal/inspect/router/root",
	})
	if err != nil {
		t.Fatal(err)
	}
	if !resp.IsError() || !strings.Contains(resp.Error().Error(), ErrIntrospectionNotEnabled.Error()) {
		t.Fatal("expected invalid configuration error")
	}
}

func TestInspectAPISudoProtect(t *testing.T) {
	// Verify that the Inspect API path is sudo protected
	core, _, rootToken := testCoreSystemBackend(t)
	testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"secret"})
	rootCtx := namespace.RootContext(nil)
	_, err := core.HandleRequest(rootCtx, &logical.Request{
		ClientToken: "tokenid",
		Operation:   logical.ReadOperation,
		Path:        "sys/internal/inspect/router/root",
	})
	if !strings.Contains(err.Error(), logical.ErrPermissionDenied.Error()) {
		t.Fatal("expected permission denied error")
	}
}

func TestInspectAPIReload(t *testing.T) {
	// Verify that the Inspect API is turned off by default
	core, _, rootToken := testCoreSystemBackend(t)
	rootCtx := namespace.RootContext(nil)
	resp, err := core.HandleRequest(rootCtx, &logical.Request{
		ClientToken: rootToken,
		Operation:   logical.ReadOperation,
		Path:        "sys/internal/inspect/router/root",
	})
	if err != nil {
		t.Fatal("Unexpected error")
	}
	if !resp.IsError() {
		t.Fatal("expected invalid configuration error")
	}
	if !strings.Contains(resp.Error().Error(), ErrIntrospectionNotEnabled.Error()) {
		t.Fatalf("expected invalid configuration error but received: %s", resp.Error())
	}

	originalConfig := core.rawConfig.Load().(*server.Config)
	newConfig := originalConfig
	newConfig.EnableIntrospectionEndpointRaw = true
	newConfig.EnableIntrospectionEndpoint = true

	// Reload Endpoint
	core.SetConfig(newConfig)
	core.ReloadIntrospectionEndpointEnabled()

	resp, err = core.HandleRequest(rootCtx, &logical.Request{
		ClientToken: rootToken,
		Operation:   logical.ReadOperation,
		Path:        "sys/internal/inspect/router/root",
	})
	if err != nil || resp.IsError() {
		t.Fatal("Unexpected error after reload")
	}
}